The Dangers of Dependencies

By: Michael R. Bagnall

Last Updated: September 2, 2025

Dangers of Relying on Dependencies

• Security Vulnerabilities

  • Third-party libraries may contain unpatched exploits.
  • Attackers can compromise popular packages (e.g., supply chain attacks).

• Dependency Abandonment

  • Libraries may no longer be maintained, leaving bugs and security holes unaddressed.
  • Critical fixes might not be available when needed.

• Version Conflicts (“Dependency Hell”)

  • Different libraries may require incompatible versions of the same dependency.
  • Upgrading one dependency can break others.

• Performance Issues

  • Dependencies may add unnecessary overhead or inefficiency.
  • Large, bloated libraries can slow down applications.

• Licensing and Legal Risks

  • Some libraries may use restrictive licenses that conflict with project requirements.
  • License violations could lead to legal consequences.

• Loss of Control

  • Reliance on external code reduces visibility into implementation details.
  • Bugs or design flaws in dependencies can be difficult to diagnose or fix.

• Operational Risks

  • Package registries (e.g., npm, PyPI, Maven Central) can experience outages.
  • Package removal (intentional or accidental) can break builds.

Mitigation Strategies

• Audit and Monitor Dependencies

  • Use tools (e.g., Dependabot, Snyk, OWASP Dependency-Check) to scan for vulnerabilities.
  • Regularly review dependency lists and remove unused packages.

• Pin and Lock Versions

  • Use lockfiles (e.g., package-lock.json, Pipfile.lock) to ensure deterministic builds.
  • Avoid automatic upgrades without review.

• Prefer Actively Maintained Libraries

  • Check for recent commits, issue responsiveness, and release history.
  • Favor dependencies with large, active communities.

• Limit the Number of Dependencies

  • Implement simple functionality in-house when feasible.
  • Avoid adding dependencies for trivial features.

• Establish an Update Policy

  • Schedule regular dependency updates.
  • Test updates in staging before production deployment.

• Maintain Internal Mirrors or Caches

  • Host critical dependencies internally to prevent supply-chain or registry outages.
  • Archive source code of key libraries for long-term stability.

• Review Licensing

  • Ensure compatibility of dependency licenses with project requirements.
  • Document accepted licenses in development guidelines.

• Code Reviews and Security Practices

  • Review third-party code before adopting critical dependencies.
  • Follow least-privilege principles and sandbox risky dependencies if possible.